Description of problem:
vagrant has a tempfile race that can allow an unprivileged local user to insert arbitrary nfs exports.

Version-Release number of selected component (if applicable):
anything older than 1.8.7

Steps to Reproduce:
See https://github.com/mitchellh/vagrant/issues/7938

Here are the exploit steps I provided to HashiCorp's security email:

1. Attacker creates file ahead of time, writable so cp will succeed.
   touch /tmp/exports
   chmod a+rw /tmp/exports
2. Attacker uses inotifywait to watch for file modifications (indicating the cp) and immediately substitute or append an export that allows them to access files they shouldn't.
3. Vagrant user with sudo privs does "vagrant up". This does the cp/sed sequence on /tmp/exports. (If sudo asks for a password then the race is exceptionally in the attacker's favor.)

Additional info:
It's fixed in 1.8.7.
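As an added example (not part of this bug report and not vagrant's own code), a Ruby sketch of the hardened pattern that closes this class of race: edit the exports content in memory, write it to a file created O_EXCL in a fresh mode-0700 directory instead of a predictable /tmp path, and verify the file is still ours before any privileged copy. The VAGRANT-BEGIN/END marker format, the sample exports content and the block id are assumptions constructed for the example.

```ruby
require "tmpdir"
require "fileutils"

# Constructed stand-in for /etc/exports; nothing here touches the real file.
SAMPLE_EXPORTS = <<~EOS
  /srv/share 192.168.1.0/24(ro,sync)
  # VAGRANT-BEGIN: 1000 deadbeef
  /home/user/project 192.168.33.10(rw,no_subtree_check)
  # VAGRANT-END: 1000 deadbeef
EOS

# Remove the export block delimited by the given id, entirely in memory.
# This replaces the "cp to /tmp, sed in place" step that the race targeted.
def strip_export_block(content, id)
  inside = false
  content.each_line.reject do |line|
    if line.start_with?("# VAGRANT-BEGIN: #{id}")
      inside = true
    elsif line.start_with?("# VAGRANT-END: #{id}")
      inside = false
      next true
    end
    inside
  end.join
end

# Write content to an unpredictable path: a new private (0700) directory and a
# file opened with O_EXCL at mode 0600, so a pre-seeded file makes the open fail
# instead of being silently reused.
def write_private_temp(content)
  dir = Dir.mktmpdir("exports-")
  path = File.join(dir, "exports")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(content) }
  path
end

# Before handing the path to a privileged copy, confirm it is still the regular
# file we created: not a symlink, owned by us, one hard link, mode 0600.
def safe_to_install?(path)
  st = File.lstat(path)
  st.file? && st.uid == Process.euid && st.nlink == 1 && (st.mode & 0o777) == 0o600
end

if __FILE__ == $PROGRAM_NAME
  path = write_private_temp(strip_export_block(SAMPLE_EXPORTS, "1000 deadbeef"))
  puts "staged #{path}: safe_to_install?=#{safe_to_install?(path)}"
  FileUtils.rm_rf(File.dirname(path))
end
```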
This is already public and has an upstream patch available, we can update the packages in Fedora to the latest upstream version to prevent it. There is no CVE assignment and the issue is lower because it needs local access.
vagrant-1.8.5-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5a625412c2
vagrant-1.8.1-5.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-24ffcb9a47
vagrant-1.8.1-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b335750d8
vagrant-1.8.5-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5a625412c2
vagrant-1.8.1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b335750d8
vagrant-1.8.1-5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-24ffcb9a47
vagrant-1.8.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
vagrant-1.8.1-5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
vagrant-1.8.5-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.